Revision as of 13:47, 10 February 2013

File Format

The Windows Shortcut file has the extension .lnk.
It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell.
The file format indicates that these files contain a specific signature, 0x4C (4C 00 00 00) at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms Jump Lists files on Windows 7 and 8.

Metadata

MAC times of the target. These are a snapshot of the target's date and time stamps before it was last opened. The target can be one of several things, for example a (linked) file;
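
The signature and CLSID check from the File Format section, followed by extraction of the target's MAC times, as an added example that is not part of the original page. The timestamp offsets (28, 36, 44) and the FILETIME encoding are assumptions taken from the MS-SHLLINK header layout, not from this page; the function names and the sample header are constructed for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C  # signature at offset 0: 4C 00 00 00
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # at offset 4
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(value):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_lnk_header(data):
    """Validate signature and CLSID, then return the target's MAC times."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    size, clsid_raw = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE:
        raise ValueError(f"bad signature {size:#x}, expected 0x4c")
    # GUIDs are stored mixed-endian on disk, hence bytes_le
    if uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("CLSID mismatch")
    # Assumed offsets (MS-SHLLINK): creation 28, access 36, write 44
    created, accessed, written = struct.unpack_from("<3Q", data, 28)
    return {
        "created": filetime_to_utc(created),
        "accessed": filetime_to_utc(accessed),
        "modified": filetime_to_utc(written),
    }


def build_sample_header():
    """Constructed sample header (not from a real file): flags/attrs zeroed."""
    unix_epoch = 116444736000000000  # 1970-01-01 as FILETIME
    return struct.pack(
        "<I16sII3Q", HEADER_SIZE, LNK_CLSID.bytes_le, 0, 0,
        unix_epoch, 0, unix_epoch + 86400 * 10_000_000,
    ).ljust(HEADER_SIZE, b"\x00")


if __name__ == "__main__":
    for name, stamp in parse_lnk_header(build_sample_header()).items():
        print(name, stamp)
```

Because the same binary format appears in the numbered streams of Jump Lists files, the parser can be fed an extracted stream as well as a standalone .lnk file.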